skill_id: DOC-CHANGE-CONTROL version: 1.0.0 last_updated: 2026-01-04 applies_to: [Class A, Class B, Class C] jurisdiction: [FDA, EU MDR, Global] prerequisites: [REG-IEC62304, REG-ISO14971, DOC-INLINE]

Change Control Process

Purpose

Define controlled process for software changes: requests, impact analysis, approvals, verification, and configuration management in regulated contexts.

When to Apply

• Any change to safety-relevant software, requirements, design, tests, or configuration items.
• Defect fixes, updates, refactors, and dependency/SOUP updates.

Requirements (testable)

1. Change Request: Document change description, rationale, items affected, and trace links (requirements, hazards, tests). Rationale: clarity.
2. Impact Analysis: Assess safety, cybersecurity, interoperability, documentation, and submission impact (FDA/MDR). Rationale: risk-aware decisions.
3. Approval: Obtain appropriate approvals (engineering + QA/RA) before implementation for safety-relevant changes. Rationale: governance.
4. Verification: Define and execute verification/validation scope for the change; include regression tests. Rationale: assurance.
5. Configuration Management: Update baselines, versions, and release notes; ensure traceability of change to artifacts. Rationale: auditability.
6. Submission Considerations: Flag changes that may trigger regulatory submission/update; record decision. Rationale: compliance.

Recommended Practices

• Use templates for change requests with required fields.
• Include SBOM updates when dependencies change.
• Capture change risk level (minor/major) and tailor verification accordingly.
• Link commits/PRs to change request IDs.

Patterns

Change request (YAML):

CR-145:
  description: Fix over-infusion timing edge case
  rationale: observed jitter at low battery
  affects: [REQ-62304-102, RISK-CTRL-19, TEST-410]
  risk: major
  submission_impact: no (reviewed QA/RA)

Verification entry:

Tests: TEST-410, TEST-411 rerun; new TEST-415 added for low-batt timing
Result: PASS

Anti-Patterns (risks)

• Implementing changes without impact analysis -> risk: missed verification, submission gaps.
• Skipping approvals for safety changes -> risk: noncompliance.
• No linkage to tests/requirements -> risk: lost traceability.
• Not updating SBOM after dependency changes -> risk: unmanaged vulnerabilities.

Verification Checklist

• Change request recorded with rationale and affected artifacts.
• Impact analysis completed (safety, cyber, interoperability, submission).
• Approvals obtained per policy for safety-relevant changes.
• Verification/regression defined and executed; results recorded.
• Baselines/versioning/release notes updated; traceability maintained.
• Submission impact decision documented.

Traceability

• Change IDs (CR-###) linked to requirements, risks, commits/PRs, and test evidence.
• Store decisions and approvals with release artifacts.

References

• IEC 62304 (configuration management and change control).
• FDA/MDR expectations for software change impact and documentation.

Changelog

• 1.0.0 (2026-01-04): Initial change control skill with impact analysis and approval process.

Audit History

• 2026-01-04: Audit performed. Verified:
  • IEC 62304 configuration management and change control references accurate
  • FDA/MDR change impact documentation expectations correctly noted